5 Answers

If you're talking about a service trying to read...what object? I guess I'm missing what the AD has to do with the object in question. The best tools I've found for reading object access is filemon and regmon, and procmon, all from sysinternals. That normally gives a good overview of what's working and what's not for permission access.

We do have instances of AD policies not being read by systems periodically, and the only thing that seems to work is to:
A) reboot. It might read it next time.
B) force a refresh of the policy. It seems to be random as to when/how it takes, though, and Windows is simply FANTASTIC at giving feedback on what's happening. Ha ha!
C) work around it. For example, assigning printers to certain computers wouldn't work sometimes and would other times, so eventually we just started slapping the freeware AdPrintx on to each workstation we deploy with a batch file in the startup folder that adds default printers while bypassing the random frustration of AD.
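As an added example (not part of the original answer), here is how a practitioner would do option B today without rebooting blind: force the refresh, identify which domain controller actually served the client, and then read what the client itself logged about the refresh. It assumes a domain-joined Windows Vista/Server 2008 or later machine (the Group Policy operational log does not exist on XP/2003) and an elevated PowerShell prompt.

```powershell
# Added example, not code from the original answer.
# Assumptions: domain-joined client, Windows Vista/2008 or later, elevated PowerShell.

$since = Get-Date

# 1. Which domain controller is this client talking to? Authentication and policy
#    come from this DC, so its event logs are the ones worth reading server-side
#    (AD is multi-master, so checking only one DC's log can miss the failure).
Write-Host "Logon server : $env:LOGONSERVER"
nltest "/dsgetdc:$env:USERDNSDOMAIN"

# 2. Force both computer and user policy to re-apply right now.
gpupdate /force

# 3. Read the client's Group Policy operational log for anything Warning or worse
#    logged since the refresh started. This is where Windows does give feedback,
#    even though nothing shows up in the Application/System logs.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3          # 2 = Error, 3 = Warning
    StartTime = $since
} -ErrorAction SilentlyContinue  # no matching events is reported as an error; ignore it

if (-not $events) {
    Write-Host "No Group Policy errors or warnings logged since $since."
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}

# 4. Show which GPOs were applied, which were filtered out (and why), and which DC served them.
gpresult /r /scope:computer
```

If step 3 shows an error for a specific GPO or client-side extension, the message usually names the SYSVOL path or OU that could not be read, which is the permissions problem to chase on the DC named in step 1 rather than on whichever DC you happened to open first.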

Even something as simple as adding a computer to the domain. We're playing with Windows Deployment but the deployment tool would fail due to a permissions issue on an OU. These failures to read the OU were not visible in the AD server's event log. However, now thinking my downfall may have been only checking one of the AD servers' event logs...
–
Skit Aug 27 '09 at 3:33

Maybe. Would have to also check on the client to see if the logs there show anything, or if the deployment tool shows anything in an actual text file tracing the installation. Tracing AD interactions would get hairy because AD is spread out over other servers, so you'd have to find which server is handling the authentication/handing out policy/etc. for that particular system's interactions as far as I know. AD isn't meant to be centralized. You could look into a tool that will centralize logging and see if that can help too, I suppose.
–
Bart Silverstrim Aug 27 '09 at 13:01

Central logging is something on my wish list. The problem stemmed from Windows Deployment Services; the logs on the machine being built are very confusing and didn't really indicate the problem.
–
Skit Aug 28 '09 at 1:01